fix(deps): update apollo graphql packages (major)

[renovate]

Note: This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence	Type	Update
@apollo/client (source)	3.14.0 -> 4.0.10					dependencies	major
@apollo/server (source)	4.12.2 -> 5.2.0					dependencies	major
apollo-router	1.45.0 -> 2.0.0					dependencies	major
ghcr.io/apollographql/router	v1.61.10 -> v2.9.0						major
com.apollographql.federation:federation-graphql-java-support	4.5.0 -> 5.4.0					dependencies	major

---

Release Notes

apollographql/apollo-client (@​apollo/client)

v4.0.10

Compare Source

Patch Changes

• #​13045 af4acdc Thanks @​phryneas! - Fix memory leak #​13036

v4.0.9

Compare Source

Patch Changes

• #​12993 8f3bc9b Thanks @​jerelmiller! - Fix an issue where switching from options with variables to skipToken with useSuspenseQuery and useBackgroundQuery would create a new ObservableQuery. This could cause unintended refetches where variables were absent in the request when the query was referenced with refetchQueries.

v4.0.8

Compare Source

Patch Changes

• #​12983 f6d0efa Thanks @​CarsonF! - Fix cache.modify() mapping readonly arrays to singular reference

v4.0.7

Compare Source

Patch Changes

• #​12950 5b4f36a Thanks @​jerelmiller! - Don't send operationType in the payload sent by GraphQLWsLink.

v4.0.6

Compare Source

Patch Changes

• #​12937 3b0d89b Thanks @​phryneas! - Fix a problem with fetchMore where the loading state wouldn't reset if the result wouldn't result in a data update.

v4.0.5

Compare Source

Patch Changes

• #​12920 e2fc385 Thanks @​phryneas! - Fix an invariance type error in the MockedResponse type.

v4.0.4

Compare Source

Patch Changes

• #​12892 db8a04b Thanks @​jerelmiller! - Prevent unhandled rejections from the promise returned by calling the mutate function from the useMutation hook.

• #​12899 5352c12 Thanks @​phryneas! - Fix an issue when invariant is called by external libraries when no dev error message handler is loaded.

• #​12895 71f2517 Thanks @​jerelmiller! - Support skipToken with useQuery to provide a more type-safe way to skip query execution.

  import { skipToken, useQuery } from "@​apollo/client/react";
  
  // Use `skipToken` in place of `skip: true` for better type safety
  // for required variables
  const { data } = useQuery(QUERY, id ? { variables: { id } } : skipToken);

  Note: this change is provided as a patch within the 4.0 minor version because the changes to TypeScript validation with required variables in version 4.0 made using the skip option more difficult.

• #​12900 c0d5be7 Thanks @​phryneas! - Use named export equal instead of default from "@​wry/equality"

v4.0.3

Compare Source

Patch Changes

• #​12887 6f6ca47 Thanks @​phryneas! - Fix accidental deep re-export from /react out of /react/internals

• #​12890 019b422 Thanks @​jerelmiller! - Ensure the variables option for useMutation provides proper IntelliSense suggestions.

v4.0.2

Compare Source

Patch Changes

• #​12880 56fac52 Thanks @​phryneas! - restore getMemoryInternals access in dev builds

v4.0.1

Compare Source

Patch Changes

• #​12876 b00f231 Thanks @​phryneas! - Fix CJS build output for invariantErrorCodes

• #​12866 0d1614a Thanks @​jerelmiller! - Export isNetworkStatusInFlight from @apollo/client/utilities. Add isNetworkStatusSettled to @apollo/client/utilities and re-export it from @apollo/client with a deprecation.

v4.0.0

Compare Source

apollographql/apollo-server (@​apollo/server)

v5.2.0

Compare Source

Minor Changes

• #​8161 51acbeb Thanks @​jerelmiller! - Fix an issue where some bundlers would fail to build because of the dynamic import for the optional peer dependency on @yaacovcr/transform introduced in @apollo/server 5.1.0. To provide support for the legacy incremental format, you must now provide the legacyExperimentalExecuteIncrementally option to the ApolloServer constructor.

  import { legacyExecuteIncrementally } from '@​yaacovcr/transform';
  
  const server = new ApolloServer({
    // ...
    legacyExperimentalExecuteIncrementally: legacyExecuteIncrementally,
  });

  If the legacyExperimentalExecuteIncrementally option is not provided and the client sends an Accept header with a value of multipart/mixed; deferSpec=20220824, an error is returned by the server.

v5.1.0

Compare Source

Minor Changes

• #​8148 80a1a1a Thanks @​jerelmiller! - Apollo Server now supports the incremental delivery protocol (@defer and @stream) that ships with [email protected]. To use the current protocol, clients must send the Accept header with a value of multipart/mixed; incrementalSpec=v0.2.

  Upgrading to 5.1 will depend on what version of graphql you have installed and whether you already support the incremental delivery protocol.

v5.0.0

Compare Source

BREAKING CHANGES

Apollo Server v5 has very few breaking API changes. It is a small upgrade focused largely on adjusting which versions of Node.js and Express are supported.

Read our migration guide for more details on how to update your app.

• Dropped support for Node.js v14, v16, and v18, which are no longer under long-term support from the Node.js Foundation. Apollo Server 5 supports Node.js v20 and later; v24 is recommended. Ensure you are on a non-EOL version of Node.js before upgrading Apollo Server.
• Dropped support for versions of the graphql library older than v16.11.0. (Apollo Server 4 supports graphql v16.6.0 or later.) Upgrade graphql before upgrading Apollo Server.
• Express integration requires a separate package. In Apollo Server 4, you could import the Express 4 middleware from @apollo/server/express4, or you could import it from the separate package @as-integrations/express4. In Apollo Server 5, you must import it from the separate package. You can migrate your server to the new package before upgrading to Apollo Server 5. (You can also use @as-integrations/express5 for a middleware that works with Express 5.)
• Usage Reporting, Schema Reporting, and Subscription Callback plugins now use the Node.js built-in fetch implementation for HTTP requests by default, instead of the node-fetch npm package. If your server uses an HTTP proxy to make HTTP requests, you need to configure it in a slightly different way. See the migration guide for details.
• The server started with startStandaloneServer no longer uses Express. This is mostly invisible, but it does set slightly fewer headers. If you rely on the fact that this server is based on Express, you should explicitly use the Express middleware.
• The experimental support for incremental delivery directives @defer and @stream (which requires using a pre-release version of graphql v17) now explicitly only works with version 17.0.0-alpha.2 of graphql. Note that this supports the same incremental delivery protocol implemented by Apollo Server 4, which is not the same protocol in the latest alpha version of graphql. As this support is experimental, we may switch over from "only alpha.2 is supported" to "only a newer alpha or final release is supported, with a different protocol" during the lifetime of Apollo Server 5.
• Apollo Server is now compiled by the TypeScript compiler targeting the ES2023 standard rather than the ES2020 standard.
• Apollo Server 5 responds to requests with variable coercion errors (eg, if a number is passed in the variables map for a variable declared in the operation as a String) with a 400 status code, indicating a client error. This is also the behavior of Apollo Server 3. Apollo Server 4 mistakenly responds to these requests with a 200 status code by default; we recommended the use of the status400ForVariableCoercionErrors: true option to restore the intended behavior. That option now defaults to true.
• The unsafe precomputedNonce option to landing page plugins (which was only non-deprecated for 8 days) has been removed.

Patch Changes

There are a few other small changes in v5:

• #​8076 5b26558 Thanks @​valters! - Fix some error logs to properly call logger.error or logger.warn with this set. This fixes errors or crashes from logger implementations that expect this to be set properly in their methods.

• #​7515 100233a Thanks @​trevor-scheer! - ApolloServerPluginSubscriptionCallback now takes a fetcher argument, like the usage and schema reporting plugins. The default value is Node's built-in fetch.

• Updated dependencies [100233a]:

  • @​apollo/server-gateway-interface@​2.0.0

apollographql/router (apollo-router)

v2.9.0

Compare Source

🚀 Features

Add CORS Private Network Access support (PR #​8279)

CORS configuration now supports private network access (PNA). Enable PNA for a CORS policy by specifying the private_network_access field, which supports two optional subfields: access_id and access_name.

Example configuration:

cors:
  policies:
    - origins: ["https://studio.apollographql.com"]
      private_network_access:
        access_id:
    - match_origins: ["^https://(dev|staging|www)?\\.my-app\\.(com|fr|tn)$"]
      private_network_access:
        access_id: "01:23:45:67:89:0A"
        access_name: "mega-corp device"

By @​TylerBloom in #​8279

Configure maximum HTTP/2 header list size (PR #​8636)

The router now supports configuring the maximum size for HTTP/2 header lists via the limits.http2_max_headers_list_bytes setting. This protects against excessive resource usage from clients sending large sets of HTTP/2 headers.

The default remains 16KiB. When a client sends a request with HTTP/2 headers whose total size exceeds the configured limit, the router rejects the request with a 431 error code.

Example configuration:

limits:
  http2_max_headers_list_bytes: "48KiB"

By @​aaronArinder in #​8636

Customize response cache key per subgraph via context (PR #​8543)

The response cache key can now be customized per subgraph using the apollo::response_cache::key context entry. The new subgraphs field enables defining separate cache keys for individual subgraphs.

Subgraph-specific data takes precedence over data in the all field—the router doesn't merge them. To set common data when providing subgraph-specific data, add it to the subgraph-specific section.

Example payload:

{
  "all": 1,
  "subgraph_operation1": "key1",
  "subgraph_operation2": {
    "data": "key2"
  },
  "subgraphs": {
    "my_subgraph": {
      "locale": "be"
    }
  }
}

By @​bnjjj in #​8543

Add telemetry selector for Cache-Control metrics (PR #​8524)

The new response_cache_control selector enables telemetry metrics based on the computed Cache-Control header from subgraph responses.

Example configuration:

telemetry:
  exporters:
    metrics:
      common:
        service_name: apollo-router
        views:
          - name: subgraph.response.cache_control.max_age
            aggregation:
              histogram:
                buckets:
                - 10
                - 100
                - 1000
                - 10000
                - 100000
  instrumentation:
    instruments:
      subgraph:
        subgraph.response.cache_control.max_age:
          value:
            response_cache_control: max_age
          type: histogram
          unit: s
          description: A histogram of the computed TTL for a subgraph response

By @​bnjjj in #​8524

🐛 Fixes

Remove _redacted suffix from event attributes in apollo.router.state.change.total metric (Issue #​8464)

Event names in the apollo.router.state.change.total metric no longer include the _redacted suffix. The metric now uses the Display trait instead of Debug for event names, changing values like updateconfiguration_redacted to updateconfiguration in APM platforms.

The custom behavior for UpdateLicense events is retained—the license state name is still appended.

By @​rohan-b99 in #​8464

Preserve Content-Length header for responses with known size (Issue #​7941)

The router now uses the Content-Length header for GraphQL responses with known content lengths instead of transfer-encoding: chunked. Previously, the fleet_detector plugin destroyed HTTP body size hints when collecting metrics.

This extends the fix from #​6538, which preserved size hints for router → subgraph requests, to also cover client → router requests and responses. Size hints now flow correctly through the entire pipeline for optimal HTTP header selection.

By @​morriswchris in #​7977

Correct apollo.router.operations.subscriptions.events metric counting (PR #​8483)

The apollo.router.operations.subscriptions.events metric now increments correctly for each subscription event (excluding ping/pong/close messages). The counter call has been moved into the stream to trigger on each event.

This change also removes custom pong response handling before connection acknowledgment, which previously caused duplicate pongs because the WebSocket implementation already handles pings by default.

By @​rohan-b99 in #​8483

Unify timeout codes in response caching metrics (PR #​8515)

Tokio- and Redis-based timeouts now use the same timeout code in apollo.router.operations.response_cache.*.error metrics. Previously, they were inadvertently given different code values.

By @​carodewig in #​8515

📃 Configuration

Remove unused TTL parameter from response cache Redis configuration (PR #​8513)

The ttl parameter under redis configuration had no effect and is removed. Configure TTL at the subgraph level to control cache entry expiration:

preview_response_cache:
  enabled: true
  subgraph:
    all:
      enabled: true
      ttl: 10m  # ✅ Configure TTL here
      redis:
        urls: [ "redis://..." ]
        # ❌ ttl was here previously (unused)

By @​carodewig in #​8513

📚 Documentation

Document active subgraph requests selector (PR #​8530)

The telemetry selectors documentation now correctly reflects the active_subgraph_requests attribute.

By @​faisalwaseem in #​8530

Add Redis cache suggestions to response cache documentation (PR #​8624)

The FAQ now includes information about supported Redis versions and Redis key eviction setup.

By @​carodewig in #​8624

v2.8.2

Compare Source

🐛 Fixes

Support arrays in complex @key fields for entity caching (PR #​8367)

Entity caching now supports arrays (including arrays of objects and scalars) in complex @key fields when resolving entities by key. This improves entity matching when using complex @key fields as primary cache keys.

By @​aaronArinder, @​bnjjj, and @​duckki in #​8367

Parse scientific notation correctly in Rhai scripts (PR #​8528)

The router now correctly parses scientific notation (like 1.5e10) in Rhai scripts and JSON operations. Previously, the Rhai scripting engine failed to parse these numeric formats, causing runtime errors when your scripts processed data containing exponential notation.

This fix upgrades Rhai from 1.21.0 to 1.23.6, resolving the parsing issue and ensuring your scripts handle scientific notation seamlessly.

By @​BrynCooke in #​8528

Support enum types in @cacheTag directive format (PR #​8496)

Composition validation no longer raises an error when using enum types in the @cacheTag directive's format argument. Previously, only scalar types were accepted.

Example:

type Query {
  testByCountry(id: ID!, country: Country!): Test
    @​cacheTag(format: "test-{.id}-{.country}")
}

By @​bnjjj in #​8496

Improve debugging data with caching flag and enhanced warnings (PR #​8459)

Debugging data now includes a flag that indicates to Apollo Sandbox whether the data should be cached, preventing unnecessary local computation. This update also includes improved warnings.

By @​bnjjj in #​8459

Display cache tags from subgraph responses in debugger (PR #​8531)

The debugger now displays cache tags generated from subgraph responses (in extensions). For performance reasons, these generated cache tags are only displayed when the data has been cached in debug mode.

By @​bnjjj in #​8531

📚 Documentation

Clarify guidance for OpenTelemetry "Recommended" attributes in telemetry documentation

The router telemetry documentation now clarifies that OpenTelemetry's "Recommended" attributes from their development-status GraphQL semantic conventions are experimental and still evolving. Apollo recommends using required attributes instead of recommended attributes because of high cardinality, security, and performance risks with attributes like graphql.document.

Learn more in Router Telemetry.

By @​abernix

🧪 Experimental

Prevent panic when record/replay plugin encounters non-UTF-8 header values (PR #​8485)

The record/replay plugin no longer panics when externalizing headers with invalid UTF-8 values. Instead, the plugin writes the header keys and errors to a header_errors object for both requests and responses.

By @​rohan-b99 in #​8485

v2.8.1

Compare Source

🔒 Security

[!NOTE]
For more information on the impact of the fixes in this release and how your deployment might be affected or remediated, see the corresponding GitHub Security Advisory (GHSA) linked on the entries below. In both listed cases, updating to a patched Router version will resolve any vulnerabilities.

Fix authorization plugin handling of polymorphic types

Updates the auth plugin to correctly handle access control requirements when processing polymorphic types.

When querying interface types/fields, the auth plugin was verifying only whether all implementations shared the same access control requirements. In cases where interface types/fields did not specify the same access control requirements as the implementations, this could result in unauthorized access to protected data.

The auth plugin was updated to correctly verify that all polymorphic access control requirements are satisfied by the current context.

See GHSA-x33c-7c2v-mrj9 for additional details and the associated CVE number.

By @​dariuszkuc

Fixed authorization plugin handling of directive renames

The router auth plugin did not properly handle access control requirements when subgraphs renamed their access control directives through imports. When such renames occurred, the plugin’s @link-processing code ignored the imported directives entirely, causing access control constraints defined by the renamed directives to be ignored.

The plugin code was updated to call the appropriate functionality in the apollo-federation crate, which correctly handles both because spec and imports directive renames.

See GHSA-g8jh-vg5j-4h3f for additional details and the associated CVE number.

By @​sachindshinde

v2.8.0

Compare Source

🚀 Features

Response caching

Available on all GraphOS plans including Free, Developer, Standard and Enterprise.

Response caching enables the router to cache GraphQL subgraph origin responses using Redis, delivering performance improvements by reducing subgraph load and query latency. Unlike traditional HTTP caching or client-side caching, response caching works at the GraphQL entity level—caching reusable portions of query responses that can be shared across different operations and users.

Response caching caches two types of data:

• Root query fields: Responses for root field fetches
• Entity representations: Individual entities, offering reuse across queries

Benefits include:

• Active cache invalidation: Target specific cached data for immediate removal using cache tags
• Cache debugger: Debugging in Apollo Sandbox shows cache status, TTLs, and cache tags during development
• GraphQL-aware: Understands GraphQL operations to improve partial cache hit rates while respecting data visibility and authorization
• Entity-level granularity: Caches at the entity level rather than entire responses
• Flexible TTL control: Data cached using HTTP Cache-Control headers from subgraph origins

Response caching solves traditional GraphQL caching challenges including mixed TTL requirements across a single response, personalized versus public data mixing, and high data duplication.

Configure response caching using the preview_response_cache configuration option with Redis as the cache backend. For complete setup instructions and advanced configuration, see the Response Caching documentation.

Migration from entity caching: For existing entity caching users, migration is as simple as renaming configuration options. For migration details see the Response Caching FAQ.

Support per-stage coprocessor URLs (PR #​8384)

You can now configure different coprocessor URLs for each stage of request/response processing (router, supergraph, execution, subgraph). Each stage can specify its own url field that overrides the global default URL.

Changes:

• Add optional url field to all stage configuration structs
• Update all stage as_service methods to accept and resolve URLs
• Add tests for URL validation and per-stage configuration

This change maintains full backward compatibility—existing configurations with a single global URL continue to work unchanged.

By @​cgati in #​8384

Add automatic unit conversion for duration instruments with non-second units

The router now automatically converts duration measurements to match the configured unit for telemetry instruments.
Previously, duration instruments always recorded values in seconds regardless of the configured unit field.
When you specify units like "ms" (milliseconds), "us" (microseconds), or "ns" (nanoseconds),
the router automatically converts the measured duration to the appropriate scale.

Supported units:

• "s" - seconds (default)
• "ms" - milliseconds
• "us" - microseconds
• "ns" - nanoseconds

[!NOTE]
Use this feature only when you need to integrate with an observability platform that doesn't properly translate from source time units to target time units (for example, seconds to milliseconds). In all other cases, follow the OTLP convention that you "SHOULD" use seconds as the unit.

Example:

telemetry:
  instrumentation:
    instruments:
      subgraph:
        acme.request.duration:
          value: duration
          type: histogram
          unit: ms # Values are now automatically converted to milliseconds
          description: "Metric to get the request duration in milliseconds"

By Jon Christiansen in #​8415

Add response reformatting and result coercion errors (PR #​8441)

All subgraph responses are checked and corrected to ensure alignment with the schema and query. When a misaligned value is returned, it's nullified. When enabled, errors for this nullification are now included in the errors array in the response.

Enable this feature in your router configuration:

supergraph:
  enable_result_coercion_errors: true

When enabled, the router generates validation errors with the code RESPONSE_VALIDATION_FAILED for any values that don't match the expected GraphQL type. These errors include the specific path and reason for the validation failure, helping you identify data inconsistencies between your subgraphs and schema.

While this feature improves GraphQL correctness, clients may encounter errors in responses where they previously did not, which may require consideration based on your specific usage patterns.

By @​TylerBloom in #​8441

Add router overhead metric (PR #​8455)

The apollo.router.overhead histogram provides a direct measurement of router processing overhead. This metric tracks the time the router spends on tasks other than waiting for downstream HTTP requests—including GraphQL parsing, validation, query planning, response composition, and plugin execution.

The overhead calculation excludes time spent waiting for downstream HTTP services (subgraphs and connectors), giving you visibility into the router's actual processing time versus downstream latency. This metric helps identify when the router itself is a bottleneck versus when delays are caused by downstream services.

Note: Coprocessor request time is currently included in the overhead calculation. In a future release, coprocessor time may be excluded similar to subgraphs and connectors.

telemetry:
  instrumentation:
    instruments:
      router:
        apollo.router.overhead: true

[!NOTE]
Note that the use of this metric is nuanced, and there is risk of misinterpretation. See the full docs for this metric to help understand how it can be used.

By @​BrynCooke in #​8455

Include invalid Trace ID values in error logs (PR #​8149)

Error messages for malformed Trace IDs now include the invalid value to help with debugging. Previously, when the router received an unparseable Trace ID in incoming requests, error logs only indicated that the Trace ID was invalid without showing the actual value.

Trace IDs can be unparseable due to invalid hexadecimal characters, incorrect length, or non-standard formats. Including the invalid value in error logs makes it easier to diagnose and resolve tracing configuration issues.

By @​juancarlosjr97 in #​8149

Add ability to rename metrics (PR #​8424)

The router can now rename instruments via OpenTelemetry views. Details on how to use this feature can be found in the docs.

Benefits:

• Cost optimization: Some observability platforms only allow tag indexing controls on a per-metric name basis. Using OTLP semantic naming conventions and having the same metric name emitted by different services can prevent effective use of these controls.
• Convention alignment: Many customers have specific metric naming conventions across their organization—this feature allows them to align with those conventions.

By @​theJC in #​8412

🐛 Fixes

Reload telemetry only when configuration changes (PR #​8328)

Previously, schema or config reloads would always reload telemetry, dropping existing exporters and creating new ones.

Telemetry exporters are now only recreated when relevant configuration has changed.

By @​BrynCooke in #​8328

Replace Redis connections metric with clients metric (PR #​8161)

The apollo.router.cache.redis.connections metric has been removed and replaced with the apollo.router.cache.redis.clients metric.

The connections metric was implemented with an up-down counter that would sometimes not be collected properly (it could go negative). The name connections was also inaccurate since Redis clients each make multiple connections, one to each node in the Redis pool (if in clustered mode).

The new clients metric counts the number of clients across the router via an AtomicU64 and surfaces that value in a gauge.

[!NOTE]
The old metric included a kind attribute to reflect the number of clients in each pool (for example, entity caching, query planning). The new metric doesn't include this attribute; the purpose of the metric is to ensure the number of clients isn't growing unbounded (#​7319).

By @​carodewig in #​8161

Prevent entity caching of expired data based on Age header (PR #​8456)

When the Age header is higher than the max-age directive in Cache-Control, the router no longer caches the data because it's already expired.

For example, with these headers:

Cache-Control: max-age=5
Age: 90

The data won't be cached since Age (90) exceeds max-age (5).

By @​bnjjj in #​8456

Reduce config and schema reload log noise (PR #​8336)

File watch events during an existing hot reload no longer spam the logs. Hot reload continues as usual after the existing reload finishes.

By @​goto-bus-stop in #​8336

Prevent query planning errors for @shareable mutation fields (PR #​8352)

Query planning a mutation operation that executes a @shareable mutation field at the top level may unexpectedly error when attempting to generate a plan where that mutation field is called more than once across multiple subgraphs. Query planning now avoids generating such plans.

By @​sachindshinde in #​8352

Prevent UpDownCounter drift using RAII guards (PR #​8379)

UpDownCounters now use RAII guards instead of manual incrementing and decrementing, ensuring they're always decremented when dropped.

This fix resolves drift in apollo.router.opened.subscriptions that occurred due to manual incrementing and decrementing.

By @​BrynCooke in #​8379

Reduce Rhai short circuit response log noise (PR #​8364)

Rhai scripts that short-circuit the pipeline by throwing now only log an error if a response body isn't present.

For example the following will NOT log:

    throw #{
        status: 403,
        body: #{
            errors: [#{
                message: "Custom error with body",
                extensions: #{
                    code: "FORBIDDEN"
                }
            }]
        }
    };

For example the following WILL log:

throw "An error occurred without a body";

By @​BrynCooke in #​8364

Prevent query planning error where @requires subgraph jump fetches @key from wrong subgraph (PR #​8016)

During query planning, a subgraph jump added due to a @requires field may sometimes try to collect the necessary @key fields from an upstream subgraph fetch as an optimization, but it wasn't properly checking whether that subgraph had those fields. This is now fixed and resolves query planning errors with messages like "Cannot add selection of field T.id to selection set of parent type T".

By @​sachindshinde in #​8016

Reduce log level for interrupted WebSocket streams (PR #​8344)

The router now logs interrupted WebSocket streams at trace level instead of error level.

Previously, WebSocket stream interruptions logged at error level, creating excessive noise in logs when clients disconnected normally or networks experienced transient issues. Client disconnections and network interruptions are expected operational events that don't require immediate attention.

Your logs will now be cleaner and more actionable, making genuine errors easier to spot. You can enable trace level logging when debugging WebSocket connection issues.

By @​bnjjj in #​8344

Respect Redis cluster slots when inserting multiple items (PR #​8185)

The existing insert code would silently fail when trying to insert multiple values that correspond to different Redis cluster hash slots. This change corrects that behavior, raises errors when inserts fail, and adds new metrics to track Redis client health.

New metrics:

• apollo.router.cache.redis.unresponsive: counter for 'unresponsive' events raised by the Redis library
  • kind: Redis cache purpose (APQ, query planner, entity)
  • server: Redis server that became unresponsive
• apollo.router.cache.redis.reconnection: counter for 'reconnect' events raised by the Redis library
  • kind: Redis cache purpose (APQ, query planner, entity)
  • server: Redis server that required client reconnection

By @​carodewig in #​8185

Prevent unnecessary precomputation during query planner construction (PR #​8373)

A regression introduced in v2.5.0 caused query planner construction to unnecessarily precompute metadata, leading to increased CPU and memory utilization during supergraph loading. Query planner construction now correctly avoids this unnecessary precomputation.

By @​sachindshinde in #​8373

Update cache key version for entity caching (PR #​8458)

[!IMPORTANT]
If you have enabled Entity caching, this release contains changes that necessarily alter the hashing algorithm used for the cache keys. You should anticipate additional cache regeneration cost when updating between these versions while the new hashing algorithm comes into service.

The entity cache key version has been bumped to avoid keeping invalid cached data for too long (fixed in #​8456).

By @​bnjjj in #​8458

📃 Configuration

Add telemetry instrumentation config for http_client headers (PR #​8349)

A new telemetry instrumentation configuration for http_client spans allows request headers added by Rhai scripts to be attached to the http_client span. The some_rhai_response_header value remains available on the subgraph span as before.

telemetry:
  instrumentation:
    spans:
      mode: spec_compliant
      subgraph:
        attributes:
          http.response.header.some_rhai_response_header:
            subgraph_response_header: "some_rhai_response_header"
      http_client:
        attributes:
          http.request.header.some_rhai_request_header:
            request_header: "some_rhai_request_header"

By @​bonnici in #​8349

Promote Subgraph Insights metrics flag to general availability (PR #​8392)

The subgraph_metrics config flag that powers the Studio Subgraph Insights feature is now promoted from preview to general availability.
The flag name has been updated from preview_subgraph_metrics to

telemetry:
  apollo:
    subgraph_metrics: true

By @​david_castaneda in #​8392

🛠 Maintenance

Add export destination details to trace and metrics error messages (PR #​8363)

Error messages raised during tracing and metric exports now indicate whether the error occurred when exporting to Apollo Studio or to your configured OTLP or Zipkin endpoint. For example, errors that occur when exporting Apollo Studio traces look like:
OpenTelemetry trace error occurred: [apollo traces] <etc>
while errors that occur when exporting traces to your configured OTLP endpoint look like:
OpenTelemetry trace error occurred: [otlp traces] <etc>

By @​bonnici in #​8363

📚 Documentation

Change MCP default port from 5000 to 8000 (PR #​8375)

MCP's default port has changed from 5000 to 8000.

Add Render and Railway deployment guides (PR #​8242)

Two new deployment guides are now available for popular hosting platforms: Render and Railway.

By @​the-gigi-apollo in #​8242

Add comprehensive context key reference (PR #​8420)

The documentation now includes a comprehensive reference for all context keys the router supports.

By @​faisalwaseem in #​8420

Reorganize observability documentation structure (PR #​8183)

Restructured the router observability and telemetry documentation to improve content discoverability and user experience. GraphOS insights documentation and router OpenTelemetry telemetry documentation are now in separate sections, with APM-specific documentation organized in dedicated folders for each APM provider (Datadog, Dynatrace, Jaeger, Prometheus, New Relic, Zipkin). This reorganization makes it easier for users to find relevant monitoring and observability configuration for their specific APM tools.

By @​Robert113289 in #​8183

Add comprehensive Datadog integration documentation (PR #​8319)

The Datadog APM guide has been expanded to include the OpenTelemetry Collector, recommended router telemetry configuration, and out-of-the-box dashboard templates:

• New pages: Connection methods overview, OpenTelemetry Collector setup, router instrumentation, and dashboard template
• Structure: Complete configurations upfront, followed by detailed explanations and best practices

By @​Robert113289 in #​8319

Clarify timeout hierarchy for traffic shaping (PR #​8203)

The docu

---

Configuration

📅 Schedule: Branch creation - At 12:00 AM through 04:59 AM and 10:00 PM through 11:59 PM, Monday through Friday ( * 0-4,22-23 * * 1-5 ), Only on Sunday and Saturday ( * * * * 0,6 ) (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.